diff options
| author | Olli Hauer <ohauer@FreeBSD.org> | 2016-12-21 10:41:09 +0000 |
|---|---|---|
| committer | Olli Hauer <ohauer@FreeBSD.org> | 2016-12-21 10:41:09 +0000 |
| commit | c97507e0184e47ff7dbf92eebd3b921c852bf23d (patch) | |
| tree | c9c1d955a0b339a4ef9df63fcd1aba154fed9b5c /www/apache24/files/patch-httpoxy | |
| parent | Update to 8.13.1. (diff) | |
- update to 2.4.25
PR: 215457
Reported by: Apache Software Foundation
MFH: 2016Q4
Security: vid 862d6ab3-c75e-11e6-9f98-20cf30e32f6d
CVE-2016-8743
CVE-2016-2161
CVE-2016-0736
CVE-2016-8740
CVE-2016-5387
Notes
Notes:
svn path=/head/; revision=429063
Diffstat (limited to 'www/apache24/files/patch-httpoxy')
| -rw-r--r-- | www/apache24/files/patch-httpoxy | 63 |
1 files changed, 0 insertions, 63 deletions
diff --git a/www/apache24/files/patch-httpoxy b/www/apache24/files/patch-httpoxy deleted file mode 100644 index 9331f3c053ae..000000000000 --- a/www/apache24/files/patch-httpoxy +++ /dev/null @@ -1,63 +0,0 @@ -https://www.apache.org/security/asf-httpoxy-response.txt - -Apache HTTP Server may be configured to proxy HTTP requests as a forward -or reverse (gateway) proxy server, can proxy requests to a FastCGI service -using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi -or mod_cgid or the related mod_isapi service. The project's mod_fcgid -subproject (available as a separate add-in module) directly manages CGI -scripts using the FastCGI protocol. - -It may also be configured to directly host a number of external modules -which run CGI-style applications in-process. The server itself does not -modify the CGI environment in this case, however, these external modules -may perform such modifications of their environment variables in-process. -Such examples include mod_php, mod_perl and mod_wsgi. - -To mitigate "httpoxy" issues across all of the above mechanisms, the most -direct solution is to drop any "Proxy:" header arriving from an upstream -proxy server or the origin user-agent. this will mitigate the issue for any -vulnerable back-end server or CGI across all traffic through this server. - -The two lines below enabled in the httpd.conf file will remove the "Proxy:" -header from all incoming requests, before further processing; - - LoadModule headers_module {path-to}/mod_headers.so - - RequestHeader unset Proxy early - -(Users who have mod_headers compiled-in to the httpd binary must omit -the LoadModule directive above, others must adjust the {path-to} to point -to the mod_headers.so file.) - -If the administrator wishes to preserve the value of the "Proxy:" header -for most traffic, and only eliminate it from the CGI environment variable -HTTP_PROXY, a second mitigation is offered. This patch will address this -behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid, -along with all other consumers of httpd's built-in environment handling. - -The bundled httpd modules all rely on ap_add_common_vars() to set up the -target CGI environment. The project will include the recommended patch -below in all subsequent releases of httpd, including 2.4.24 and 2.2.32. -Users who build httpd 2.2.x or 2.4.x from source may apply the patch below, -recompile and re-install httpd to obtain this mitigation. This migitation -has been assigned the identifier CVE-2016-5387 <http://cve.mitre.org>. - -======= Patch to httpd sources 2.4.x and 2.2.x ======= - ---- server/util_script.c (revision 1752426) -+++ server/util_script.c (working copy) -@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r - else if (!strcasecmp(hdrs[i].key, "Content-length")) { - apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); - } -+ /* HTTP_PROXY collides with a popular envvar used to configure -+ * proxies, don't let clients set/override it. But, if you must... -+ */ -+#ifndef SECURITY_HOLE_PASS_PROXY -+ else if (!strcasecmp(hdrs[i].key, "Proxy")) { -+ ; -+ } -+#endif - /* - * You really don't want to disable this check, since it leaves you - * wide open to CGIs stealing passwords and people viewing them |